The Secure Sockets Layer (SSL) certificate allows whoever is
wielding it to set up fraudulent Web pages under a legitimate
Google domain name; the victims, security researchers say, would
believe they were on a perfectly safe Google site while, behind
the scenes, attackers could harvest all their personal
information.

"This type of attack allows someone to eavesdrop on encrypted
traffic, allowing them to decipher traffic which would otherwise
not be possible," Kaspersky Lab researcher Roel Schouwenberg told
SecurityNewsDaily.

Why is this so scary?

Most phishing emails or spoofed websites look legitimate, but
close inspection will reveal a misspelled URL, an unencrypted
Web session, or a third-party Web page that bears no resemblance
to the original address. Anti-virus software will often detect
these rogue pages as threats before they even get to you.

A stolen SSL certificate, however, could mean that when you log
on to your Gmail account, or receive an email with a link to any
Google.com Web domain (a YouTube video, for example), all of your
credentials could be up for grabs.

"This particular certificate is a so-called 'wildcard'
certificate," Schouwenberg said. "It's valid for any google.com
subdomain. This means this certificate allows an attacker to
eavesdrop on virtually all of Google's services, including Gmail,
while the traffic is encrypted. This will allow the attacker to
not only read/write emails but also grab the target's Google
credentials."

Even worse, your computer — and you — would never even know,
because nothing about the site would seem off. After all, the
attack could take place on an encrypted Gmail page.

How did it happen?

Hackers obtained the SSL certificate on July 19 from DigiNotar, a
Dutch certificate authority, which said in a press release that
the breach "resulted in the fraudulent issuance of public key
certificate requests for a number of domains, including
Google.com."

DigiNotar said it revoked all the fraudulently issued
certificates, but "recently, it was discovered that at least one
fraudulent certificate had not been revoked at the time."

That certificate, for Google.com, has since been revoked, but it
existed in the wild for more than five weeks.

An email to DigiNotar was not returned.

Who is behind the hack?

"This type of attack is mostly suited to intelligence/espionage
operations," Schouwenberg said. "We have to keep in mind that
these attacks are quite targeted and most likely carried out by
nation-states."

However, Hypponen came across another defaced DigiNotar Web page
that reads, "Hacked by Black.Spook! Persian Gulf For Ever!!!"

"If you keep digging deeper, you'll find that although these Web
defacements are still live right now, they are not new," Hypponen
wrote. "Much worse: They were done years ago. In fact, these
hacks are so old, it's unlikely they are connected to the current
problem. Or at least so we hope."

What can you do?

"Unfortunately, there are only very few solutions for this type
of problem," Schouwenberg told SecurityNewsDaily. "Right now, we
have to rely on the browser makers to release an update to the
browser which blacklists this particular certificate."
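As an added illustration (not from the article or any of its sources), the Python sketch below shows why the wildcard certificate Schouwenberg describes covers Gmail and every other google.com subdomain, and what the browser-side blacklist he mentions changes. The certificate fields and the fingerprint are constructed placeholders, and the name-matching rule follows the RFC 6125 convention that a wildcard stands in for the leftmost label only.

```python
# Constructed stand-in for the parsed fields of the fraudulent certificate.
# A real browser pulls these from the X.509 Subject/SubjectAltName and
# Issuer fields and computes the fingerprint over the DER encoding.
ROGUE_CERT = {
    "issuer": "DigiNotar (constructed issuer name)",
    "names": ["*.google.com"],
    "fingerprint": "sha1:0000000000000000000000000000000000000000",  # placeholder
}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' may replace only the entire leftmost
    label. Comparison is case-insensitive and ignores a trailing dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # no wildcard: exact match only
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3:                   # refuse '*.com' and the like
        return False
    if len(p_labels) != len(h_labels):      # exactly one label: 'google.com'
        return False                        # and 'a.b.google.com' do not match
    return p_labels[1:] == h_labels[1:]


def evaluate(cert: dict, hostname: str, blacklist: set) -> str:
    """Decide whether `cert` is acceptable for `hostname`.

    `blacklist` holds fingerprints of certificates the browser refuses
    outright; it plays the role of the blacklist the browser update ships.
    Chain validation to a trusted root is assumed to have already passed,
    which is exactly the situation with a cert issued by a trusted CA.
    """
    if cert["fingerprint"] in blacklist:
        return "reject: certificate blacklisted"
    if not any(wildcard_matches(n, hostname) for n in cert["names"]):
        return "reject: name mismatch"
    return "accept"


if __name__ == "__main__":
    # Before the update: the wildcard is accepted for every Google subdomain.
    for host in ("mail.google.com", "www.google.com", "google.com"):
        print(host, "->", evaluate(ROGUE_CERT, host, set()))
    # After the update: the same certificate is refused regardless of name.
    print("mail.google.com", "->",
          evaluate(ROGUE_CERT, "mail.google.com", {ROGUE_CERT["fingerprint"]}))
```

Note that nothing in the name-matching step can catch the fraud: the certificate is genuinely valid for *.google.com, which is why only a client-side blacklist (or distrusting the issuing CA) stops it.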